Privacy Policy

Last updated: April 2026

1. Data Controller

The controller of your personal data is EYBA OÜ, registry code 16827612, VAT EE102660924, registered address Rätsepa tee 5, Järveküla, Rae vald, Harju maakond, 75304, Estonia. For any privacy or data protection questions, contact us at team@eybaglobal.com — we respond within 30 days. We have not appointed a Data Protection Officer (DPO), as this is not legally required given the size of our organization.

2. What Data We Collect

We collect four categories of data. (1) Contact form (/contact): your name, email, company (optional), and message content — sent by email directly to our team inbox and not stored in any separate database. (2) Market Entry Readiness Assessment (/tools/market-entry-readiness): first name, last name, email, phone (optional), company, your answers to 9 questions (each scored 0–3), and the resulting total, dimension, and level scores — sent both to our team inbox and to you as a results summary. If you tick the relevant box, the team notification also includes your consent to receive marketing emails. (3) Language preference: a cookie named "locale" that remembers your ET/EN choice. (4) Google Analytics 4: if you grant consent in the cookie banner, we use cookies (_ga, _gid, etc.) that collect aggregate statistics about page views, session duration, device, approximate location, and traffic source.

3. Purpose and Legal Basis

We process your data on the following bases (GDPR Art. 6): contact form messages — your consent (Art. 6(1)(a)) given when you submit the form; sending assessment results to your email — your consent (Art. 6(1)(a)); keeping assessment data in our team inbox for follow-up and service improvement — legitimate interest (Art. 6(1)(f)); marketing emails (newsletters, export-related materials) — separate consent (Art. 6(1)(a)) given by ticking the marketing-consent checkbox in the assessment form, which you can withdraw at any time; Google Analytics — your consent (Art. 6(1)(a)) given via the cookie banner; the locale cookie — legitimate interest (Art. 6(1)(f)) for site functionality.

4. Data Retention

Contact form messages and assessment data are kept in our team inbox for as long as needed for the relationship (typically up to 3 years after the last contact), then deleted. Marketing-consent status is part of the team's assessment notification and lasts as long as we keep your record, or until you withdraw consent. Google Analytics data is retained for 14 months (the GA4 default for personal data). The locale cookie expires after 1 year.

5. Who We Share Data With — Processors

We do not sell or trade your personal data. To deliver the service, we use the following data processors: Vercel Inc. (USA) — website hosting, covered by Vercel's standard Data Processing Addendum (DPA); Zone Media OÜ (Estonia) — email sending (SMTP) and domain, standard agreement with the Estonian provider; Google LLC (USA) — Google Analytics, covered by Google's Analytics DPA. All processors handle your data only on our instructions and only for delivering the service.

6. International Data Transfers

Some of our processors (Vercel, Google) are located outside the European Economic Area, primarily in the United States. Such transfers are protected by the European Commission's Standard Contractual Clauses (SCCs), the processors' certification under the EU-US Data Privacy Framework where applicable, and their EU representatives where applicable. Our team email is operated by the Estonian provider Zone Media OÜ, which means most contact-form and assessment data resides in the EU.

7. Cookies

eybaglobal.com uses the following cookies and local-storage entries. "locale" — remembers your language (ET/EN) choice, functional (necessary), expires after 1 year. "cookie-consent" (localStorage, not technically a cookie) — stores your analytics-consent choice, functional, persists until you clear your browser storage. "_ga" — Google Analytics user ID, analytics (consent required), expires after 2 years. "_ga_<container>" — Google Analytics session, analytics (consent required), expires after 2 years. "_gid" — Google Analytics user differentiation, analytics (consent required), expires after 24 hours. When you visit the site, a cookie banner asks for your consent to load analytics cookies — Google Analytics is loaded only after you accept. You can change or withdraw your choice at any time via the "Cookie settings" link in the footer. Functional cookies (locale, cookie-consent) are necessary for the site to work and do not require separate consent (under the ePrivacy directive).

8. Your Rights

Under the GDPR (Art. 15–22), you have the right to: access your data (Art. 15), rectify inaccurate data (Art. 16), erase your data ("right to be forgotten", Art. 17), restrict processing (Art. 18), data portability (Art. 20), object to processing (Art. 21), and withdraw consent at any time (Art. 7(3)) — for cookies via the "Cookie settings" link in the footer, for marketing emails via the unsubscribe link in each email, and in general by emailing team@eybaglobal.com. We respond within 30 days. If you believe we have infringed your rights, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI) — Tatari 39, 10134 Tallinn, https://www.aki.ee.

9. Data Security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. All data exchanged between the site and your browser is encrypted (HTTPS/TLS), access to the team inbox and internal systems is role- and password-based, and authentication uses strong methods. In the event of a data breach, we notify affected individuals and the Estonian Data Protection Inspectorate in line with GDPR requirements.

10. Changes to This Policy

We may update this privacy policy from time to time — for example, when we add new services, change processors, or refine the legal bases. The current version is always on this page, and the "Last updated" date at the top reflects the version in force. We will give advance notice of material changes on the site and, where appropriate, by email.